A multi-layer framework for puzzle-based denial-of-service defense

International Journal of Information Security

Volumn 7, Issue 4, 2008, Pages 243-263

  Wang, XiaoFeng ^a   Reiter, Michael K ^b  

^a INDIANA UNIVERSITY   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Client puzzles; Denial of service; Network protocols

Indexed keywords

ADMINISTRATIVE DATA PROCESSING; COMPUTER AIDED ANALYSIS; COMPUTER CRIME; COMPUTER SYSTEMS; COSTS; ELECTRIC BREAKDOWN; FINANCE; INTERNET PROTOCOLS; LEGACY SYSTEMS; MANAGEMENT INFORMATION SYSTEMS; RESEARCH; SECURITY OF DATA; TELECOMMUNICATION NETWORKS;

APPLICATION PROTOCOLS; CLIENT PUZZLES; CONGESTION PUZZLES; DENIAL OF SERVICE (DOS); DENIAL OF SERVICE (DOS) ATTACKS; DOS ATTACKS; DOS DEFENSE; END TO END (ETE); INCREMENTAL DEPLOYMENT; MALWARE; MULTILAYER (ML); PROTOCOL STACKS; RESEARCH RESULTS;

NETWORK ARCHITECTURE;

EID: 47649085264     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-007-0042-x     Document Type: Article

References (64)

1. The network simulator - ns-2. http://www.isi.edu/nsnam/ns/
2. Overview of cisco 7500 series router. http://www.cisco.com/en/US/ products/hw/routers/ps359/prod_brochure09186a00800 9200c.html
3. Abadi, M., Burrow, M., Manasse, M., Wobber, T.: Moderately hard, memory-bound functions. In: Proceedings of the 10th Annual Network and Distributed System Security Symposium (2003)
4. Adkins, D., Lakshminarayanan, K., Perrig, A., Stoica, I.: Taming ip packet flooding attacks. In: Proceedings of Workshop on Hot Topics in Networks (HotNets-II). November (2003)
5. Adler, M.: Tradeoffs in probabilistic packet marking for IP traceback. In: Proceedings of 34th ACM Symposium on Theory of Computing (STOC-02) (2002)
6. Andersen, D.: Mayday: Distributed filtering for internet services. In: Proceeding of USITS (2003)
7. Anderson, T., Roscoe, T., Wetherall, D.: Preventing internet denial-of-service with capabilities. In: Proceedings of Workshop on Hot Topics in Networks (HotNets-II), November 2003
8. Argyraki, K., Cheriton, D.R.: Network capabilities: The good, the bad and the ugly. In: Proceedings of the 4th Workshop on Hot Topics in Networks, November 2005
9. Aura, T., Nikander, P., Leiwo, J.: Dos-resistant authentication with client puzzles. In: Proceedings of the Cambridge Security Protocols Worshop 2000. LNCS. Springer, Heidelberg (2000)
10. Internet Assigned Numbers Authority. ICMP type numbers. November, 2003. http://www.iana.org/assignments/icmp-parameters
11. Bellare, M., Rogaway, PA: Random oracle are practical: a paradigm for designing efficient protocols. In: Proceedings of First ACM Annual Conference on Computer and Communication Security (1993)
12. Bellovin, S.: Defending against sequence number attacks. In: RFC 1948, May 1996
13. Bellovin, S., Leech, M., Taylor, T.: The ICMP traceback messages. In: Internet-Draft, draft-ietf-itrace-01.txt, December 1999. ftp:// ftp.ietf.org/internet-drafts/draft-ietf-itrace-01.txt
14. Bloom B.H. (1970). Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7): 422-426
15. Boneh, D., Naor, M.: Timed commitments (extended abstract). In: Proceedings of Advances in Cryptology - CRYPTO'00. Lecture Notes in Computer Science, vol. 1880, pp. 236-254. Springer, Heidelberg (2000)
16. Burch, H., Cheswick, B.: Tracing anonymous packets to their approximate source. In: Proceedings of the 14th USENIX System Administration Conference, December 1999
17. Caida. Skitter. 2003. http://www.caida.org/tools/measurement/
18. CERT. Computer emergency response team, cert advisory ca-2001-01: Denial-of-service developments. 2000. http://staff.washington.edu/ dittrich/misc/ddos
19. CERT. Advisory CA-96.21: TCP SYN flooding and IP spoofing attacks. 24 September 1996
20. Crosby, S.A., Dan, S.: Wallach. Denial of service via algorithmic complexity attacks. USENIX Security (2003)
21. Dean, D., Franklin, M., Stubblefield, A.: An algebraic approach to IP traceback. In: Proceedings of Network and Distributed System Security Symposium (NDSS-01), February 2001
22. Dean, D., Stubblefield, A.: Using client puzzles to protect tls. In: Proceedings of 10th Annual USENIX Security Symposium (2001)
23. Theodore Diament, Homin K. Lee, Angelos D. Keromytis, and Moti Yung. The dual receiver cryptosystem and its applications. In: Proceedings of the 11th ACM conference on Computer and communications security. ACM Press, New York (2004)
24. Dietrich, S., Long, N., Dittrich, D.: Analyzing distributed denial of service attack tools: The shaft case. In: Proceedings of 14th Systems Administration Conference, LISA 2000 (2000)
25. Dittrich, D.: Distributed denial of service (ddos) attacks/tools resource page (2000) http://staff.washington.edu/dittrich/misc/ddos
26. Dwork, C., Naor, M.: Pricing via processing or combating junk mail. In: Brickell, E. (ed.) Proceedings of ADVANCES IN CRYPTOLOGY - CRYPTO 92. Lecture Notes in Computer Science, vol. 1328, pp. 139-147. Springer, Heidelberg (1992)
27. Feng, W.: The case for TCP/IP puzzles. In: Proceedings of ACM SIGCOMM Future Directions in Network Architecture (FDNA-03) (2003)
28. Feng, W., Kaiser, E., Luu, A.: Design and implementation of network puzzles. In: Proceedings of IEEE INFOCOM (2005)
29. Ferguson, P., Senie, D.: RFC 2267: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing, January 1998. ftp://ftp.internic.net/rfc/rfc2267.txt, ftp:// ftp.math.utah.edu/pub/rfc/rfc2267.txt
30. Franklin, M.K., Malkhi, D.: Auditable metering with lightweight security. In: Hirschfeld, R. (ed.) Proceedings of Financial Cryptography 97 (FC 97). Lecture Notes in Computer Science. Springer, Heidelberg (1997)
31. Garay, J.A., Jakobsson, M.: Timed release of standard digital signatures. In: Proceedings of Financial Cryptography (2002)
32. Geng X. and Whinston A. (2000). Defeating distributed denial of service attacks. IEEE IT Profes. 2(4): 36-41
33. Gligor, V.G.: Guaranteeing access in spite of service-flooding attack. In: Hirschfeld, R. (ed.) Proceedings of the Security Protocols Workshop. Lecture Notes in Computer Science. Springer, Heidelberg (2004)
34. Goldschlag, D.M., Stubblebine, S.G.: Publically verifiable lotteries: Applications of delaying functions (extend abstract). In: Proceedings of Financial Cryptography (1998)
35. Houle, K., Weaver, G., Long, N., Thomas, R.: Trends in denial of service attack technology. October 2001. http://www.cert.org/archive/pdf/ DoS_trends.pdf
36. Ioannidis, J., Bellovin, S.: Implementing pushback: Router-based defense against ddos attacks. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS-02) (2002)
37. Jin, C., Wang, A., Shin, K.G.: Hop-count filtering: an effective defense against spoofed traffic. In: Proceedings of ACM CCS (2003)
38. Juels, A.A Brainard, J.: Client puzzle: a cryptographic defense against connection depletion attacks. In: Kent, S. (ed.) Proceedings of NDSS'99, pp. 151-165 (1999)
39. Keromytis, A., Misra, V., Rubenstein, D.: SOS: Secure overlay services. In: Proceedings of ACM SIGCOMM, August (2002)
40. Lemmon, J.: Resisting syn flood dos attacks with a syn cache. In: Leffler, S.J. (ed.) Proceedings of BSDCon 2002. USENIX, 2002, February 11-14
41. Li, J., Mirkovic, J., Wang, M.: Save: Source address validity enforcement protocol. In: Proceedings of IEEE INFOCOM (2002)
42. Mahajan R., Bellovin S., Floyd S., Ioannidis J., Paxson V. and Shenker S. (2002). Controlling high bandwidth aggregates in the network. CCR 32(3): 62-73
43. Meadows and C. (2001). A cost-based framework for analysis of denial of service networks. J. Comput. Secur. 9: 143-164
44. Merkle R.C. (1978). Secure communications over insecure channels. Commun. ACM 21: 294-299
45. Morein, W.G., Stavrou, A., Cook, D.L., Keromytis, A.D., Misra, V., Rubenstein, D.: Using graphic turing tests to counter automated ddos attacks against web servers. In: Proceedings of ACM CCS (2003)
46. Postel, J.: RFC 792: Internet Control Message Protocol, September 1981. ftp://ftp.internic.net/rfc/rfc792.txt
47. Qie, X., Pang, R., Peterson, L.: Defensive programming: Using an annotation toolkit to build dos-resistant software. In: Proceedings of the 5th OSDI Symposium, December 2002
48. Rivest, R.L., Shamir, A., Wagner, D.: Time-lock puzzles and timed-release crypto. Manuscript, 10 March 1996
49. Sanchez, L., Milliken, W.C., Snoeren, A., Tchakountio, F., Jones, C., Kent, S., Partridge, C., Strayer, W.T.: Hardware support for a hash-based IP traceback. In: Proceedings of the DARPA Information Survivability Conference and Exposition II, DISCEX'01 2001.
50. Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Network support for IP traceback. In: Proceedings of ACM SIGCOMM, August 2000
51. Schnackenberg, D., Djahandari, K., Sterne, D.: Infrastructure for intrusion detection and response. In: Proceedings of the DARPA Information Survivability Conference and Exposition 2000, March 2000
52. Snoeren, A., Partridge, C., Sanchez, L., Jones, C., Tchakountio, F., Kent, S., Strayer, W.T.: Hash-based IP traceback. In: Proceedings of the ACM SIGCOMM, August 2001
53. Song, D., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proceedings of IEEE INFOCOMM, April 2001
54. Stoica, I., Shenker, S., Zhang, H.: Core-stateless fair queueing: Achieving approximately fair bandwidth allocations in high speed networks. In: Proceedings of ACM SIGCOMM (1998)
55. Stone, R.: An IP overlay network for tracking dos floods. In: Proceedings of USENIX Security Symposium (2000)
56. Syverson, P.: Weakly secret bit commitment: Applications to lotteries and fair exchange. In: Proceedings of IEEE Computer Security Foundations Workshop (1998)
57. Touch, J.: RFC 1810: Report on MD5 performance, June 1995. ftp:// ftp.internic.net/rfc/rfc1810.txt, ftp://ftp.math.utah.edu/pub/rfc/ rfc1810.txt
58. von Ahn, L., Blum, M., Hopper, N., Langford, J.: Captcha: Using hard ai problems for security. In: Proceedings of Eurocrypt, pp. 294-311 (2003)
59. Wang, X.F., Reiter, M.: Defending against denial-of-service attacks with puzzle auctions. In: IEEE Symposium on Security and Privacy, May 2003
60. Wang, X.F., Reiter, M.: Mitigating bandwidth-exhaustion attacks using congestion puzzles. In: Proceedings of the 11th ACM conference on Computer and Communication Security, November 2004
61. Brent Waters, Ari Juels, J. Alex Halderman, and Edward W. Felten. New client puzzle outsourcing techniques for dos resistance. In: Proceedings of the 11th ACM conference on Computer and communications security. ACM Press (2004)
62. Yaar, A., Perrig, A., Song, D.: Pi: A path identification mechanism to defend against DDoS attacks. In: IEEE Symposium on Security and Privacy, May 2003. http://www.ece.cmu.edu/~adrian/projects/pi.ps
63. Yaar, A., Perrig, A., Song, D.: An endhost capability mechanism to mitigate DDoS flooding attacks. In: Proceedings of the IEEE Symposium on Security and Privacy, May 2004
64. Yau, D., Liu, C., Liang, F.: Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In: Proceedings of IEEE International Workshop on Quality of Service (IWQoS-02) (2002)